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Assessment for a Proposal for a legal act of the European Parliament and the Council 
laying down requirements for Artificial Intelligence 


BSA | The Software Alliance (“BSA”)! welcomes the opportunity to offer thoughts on the 
European Commission Inception Impact Assessment on a possible Proposal for a legal act of the 
European Parliament and the Council laying down requirements for Artificial Intelligence (“the 
Proposal”). BSA is the leading advocate for the global software industry before governments and 
in the international marketplace. Our members are at the forefront of software-enabled innovation 
that is fueling global economic growth, including cloud computing and Al products and services. 
BSA members include many of the world's leading suppliers of software, hardware, and online 
services to organizations of all sizes and across all industries and sectors. BSA members have 
made significant investments in developing innovative Al solutions for use across a range of 
applications. As leaders in Al development, BSA members have unique insights into both the 
tremendous potential that Al holds to address a variety of social challenges and the governmental 
policies that can best support the responsible use of Al and ensure continued innovation. 


BSA agrees with the fundamental proposition of the European Commission’s White Paper 
on Artificial Intelligence (“the White Paper”) that the public should “expect the same level 
of safety and respect of their rights whether or not a product or system relies on Al.” Of 
course, the concerns presented by the European Commission are not unique to Al. The EU body 
of laws offers strong, technologically neutral safeguards against these concerns. BSA strongly 
recommends that the Commission take stock of this body of legislation in a targeted way, identify 
possible gaps and only propose new legislation if there is no other way to rectify them, Al-specific 
or not. 


The White Paper acknowledges the challenges and promise of Al tools, and at the same time 
calls for a more thorough analysis of existing EU Legislation, to establish whether it is fit for 
purpose in protecting fundamental rights whilst fostering Al uptake. In the context of the work of 
the High-Level Expert Group on Al (“HLEG”), BSA prepared a detailed analysis of EU legislation 
impacting Al,2 which could prove helpful as the Commission moves to evaluate the sufficiency of 
current laws. Moreover, BSA would like to emphasize that Al is not developed in a vacuum in the 
EU, and that while new technologies present new challenges, the protection and enforcement of 
Fundamental Rights in the EU remain as strong as ever. BSA and its Members continue to work 





1 BSA | The Software Alliance (www.bsa.org) is the leading advocate for the global software industry before governments 
and in the international marketplace. Its members are among the world’s most innovative companies, creating software 
solutions that spark the economy and improve modern life. With headquarters in Washington, DC, and operations in 
more than 30 countries, BSA pioneers compliance programs that promote legal software use and advocates for public 
policies that foster technology innovation and drive growth in the digital economy. 

BSA’s members include: Adobe, Akamai, Atlassian, Autodesk, Bentley Systems, Box, Cadence, Cloudflare, 
CNC/Mastercam, IBM, Informatica, Intel, Intuit, MathWorks, McAfee, Microsoft, Okta, Oracle, PTC, Salesforce, 
ServiceNow, Siemens Industry Software Inc., Sitecore, Slack, Splunk, Trend Micro, Trimble Solutions Corporation, Twilio, 
and Workday. 

? Please refer to our submission to the HLEG on EU Legislation here. 
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alongside EU Institutions and Member States to support a strong EU body of law that provides 
safeguards for fundamental rights whilst fostering innovation. 


As the Commission moves to implement the White Paper, BSA would like to reiterate how 
important it would be for the Commission to carry out an in-depth inventory of EU law, 
and its application to Al, before suggesting possible legislative actions. Consistent with the 
risk-based, context-specific approach the Commission has endorsed, any proposed legislative 
changes should avoid one-size-fits-all mandates. The Al ecosystem is broad, encompassing a 
diverse range of technologies, use cases and wide array of stakeholders. Legislative updates 
must therefore be flexible enough to account for the unique considerations that may be implicated 
by specific uses cases. For instance, Business-to-Business (“B2B”) relations are radically 
different than Business-to-Consumer (“B2C”), and entail a completely different consideration and 
allocation of risk. In the B2B context, entities should remain free to use contractual negotiations 
as a mechanism for allocating risks, liabilities, and obligations in a manner that corresponds to 
the nature of the transaction. 


BSA agrees that future legislative proposals should focus on high-risk scenarios where 
the deployment of Al-based technologies poses a threat to human life and fundamental 
rights. The scope of any regulatory obligations should be a function of the degree of risk and the 
potential scope and severity of harm. Many Al systems pose extremely low, or even no, risk to 
individuals or society. To this end, it will be important to carefully assess scenarios that should 
be deemed as high-risk and hence be subject to legal requirements. BSA strongly recommends 
ensuring stakeholder involvement in this context as much as possible, especially as it will be 
sector-dependent as much as use-case dependent. BSA and its Members have participated, and 
intend to continue to be active participants, to EU and Member States stakeholder consultations. 
BSA Members are uniquely positioned to provide essential insights in the assessment of high- 
risk scenarios and use-cases of Al. 


BSA supports the possibility suggested by the White Paper to take an incremental 
approach by limiting regulation to Al systems that are (1) deployed in a high risk sector 
and (2) used in a manner that significant risks are likely to arise. Moreover, due 
consideration should be given to Al applications that enhance human decision-making, whereby 
the risk consideration — even when the two above conditions are fulfilled — is inevitably balanced 
by the human involvement and control. Furthermore, BSA urges the Commission to extend 
this two-pronged approach to all possible high-risk scenarios, rather than identifying 
specific sectors where — regardless of its purpose and use — Al would be considered high-risk 
by default. This would allow for a more homogeneous application and understanding of the 
possible requirements for high-risk Al, providing for the necessary proportionality and legal 
certainty as Al technologies and tools are developed and deployed. 


Ensuring that the definition of high-risk is appropriately tailored will be critical. Given the 
potentially far-reaching requirements of new legislative requirements for high-risk Al, it is crucial 
for Al developers and users to be able to determine with certainty if their application might fall 
within the scope of high-risk. The complexity of defining “high-risk” Al is exacerbated by that fact 
that Al may be developed for a multitude of uses — and determining whether it is “high-risk” will 
turn on how it is deployed (i.e., whether it is deployed by an end-user in a high-risk sector and 
used in a manner that creates a significantly likelinood of risk.). The methodology behind the 
definition of high-risk sectors needs to be precise and robust, with only limited exemptions. This 
will guarantee that the list remains targeted and up to date as new technologies and use cases 
emerge. 
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BSA agrees with the Commission’s analysis that legal requirements for high-risk Al applications 
“should be addressed to the actor(s) who is (are) best placed to address any potential risks” 
(White Paper p. 22). In many cases — especially in the cases of general-purpose Al systems — 
developers will not be in the position to know whether the technology is being deployed by an 
end-user in a manner that meets the definition of high-risk. Similarly, in B2B relations the 
allocation of risk will be one part of the contractual agreement between two entities, and once 
again the developer will not be best place to establish whether the application is to be deployed 
in an high-risk scenario, and what obligations that may entail in the specific sector. Developers 
are better placed to describe the capabilities and limitations of an Al system, while 
disclosing the possible impact of Al use will typically need to be the responsibility of the 
deployer. 


In this context, and in a similar vein in the liability context (please see below in the relevant 
section for more information), the Commission may want to draw from existing concepts for 
establishing which entity is “best placed to address any potential risk”, i.e. the entity that 
determines the purpose of the Al, similar to the concept of a “controller” under the GDPR. 
Article 29 Working Party guidance on controllers and processors (WP 169) describes this party 
as the “determining body” that decides the “how” and the “why” of a processing operation. 
Applying this concept in the context of Al, the “Al controller” will generally be the deployer of an 
Al system (e.g., a vehicle manufacturer that integrates an Al-driven language recognition system 
into an automobile, or a bank that uses an Al tool to score consumers for loans). In some 
instances, it may also be the operator of the Al system (e.g., a physician using assistive tools 
during surgery). 


Under the GDPR, controllers and processors have different levels of responsibility for achieving 
privacy outcomes that reflect their different roles. In particular, controllers have primary 
responsibility for satisfying certain legal privacy and security obligations and for honoring data 
subject rights requests. On the other hand, processors, which handle data on behalf of the 
controller to implement the controller’s objectives, are responsible for securing the personal data 
they maintain and following the instructions of a controller, pursuant to their agreements with 
relevant controllers. The processor/controller distinction not only provides organizations 
with a clear picture of their respective legal obligations, it also helps to ensure that data 
subjects rights are adequately protected. Accordingly, BSA recommends that the Commission 
preserves in possible Al legislation the careful distinction between controllers and processors, 
especially at a time when data protection legislation, such as the General Data Protection 
Regulation, is finally establishing a level-set amongst organizations that process data. 


In the context of enterprise Al, the tools that BSA companies provide are generally Al systems 
that facilitate human decision-making, without replacing human decision-making. With this in 
mind, it becomes clear that a company using an Al service to enable its employees to make a 
decision acts as a controller in deciding how and why that data is processed, and the Al system 
is used as a tool for processing data on behalf of that controller. Accordingly, the company 
developing and providing the Al tool is appropriately treated as a processor. This key distinction 
could also help inform the Commission’s Al workstreams, which will have to focus on sectors with 
very different definitions and approaches to risk management. Ensuring that the definitions 
and requirements for the entities involved are the same in different sectors — and founded 
in well-established practices that are equally applied cross-sectorally — would ensure a 
more harmonized approach to Al. 


BSA recommends to the Commission not to establish pre-marketing conformity 
assessment for Al systems, as such obligations are liable to turn into barriers to enter the 
market. A more scalable approach would be self-attestation, which would also be least likely to 
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unnecessarily extend time to market or unduly burden smaller operators. BSA believe that 
prescriptive regulation of Al, requiring for example that every possible use of an Al system is “fair” 
or “unbiased”, will likely be unworkable in practice. 


BSA urges the Commission not to pursue a regulatory scheme based on prescriptive 
conformity assessment requirements. The risks that Al poses and the appropriate 
mechanisms for mitigating those risks are largely context-specific. The appropriate mechanisms 
and standards for training data, record keeping, transparency, accuracy, and human oversight 
will vary depending on the nature of the Al system and the setting in which it is being deployed. 
The Commission should therefore avoid creating prescriptive, one-size-fits-all requirements 
around these categories. Such ex-ante requirements could impede efforts to address the very 
risks they are intended to address, add unnecessary costs and require extremely complex 
compliance checks. 


Given the nascent nature of the technology and sociotechnical quality of many of its most 
significant challenges, BSA believes that a governance-based approach to legislation, which 
identifies broad objectives and the processes that developers and deployers should follow to 
achieve them, will be more effective than a prescriptive one. Consistent with a governance-based 
approach, the Commission should articulate a framework that will enable stakeholders to perform 
an “impact assessment” on high-risk Al systems. In this context, BSA recommends building upon 
the work done by the HLEG and many AI developers on the Assessment List for Trustworthy 
Artificial Intelligence, in particular as it may constitute a template for future assessment tools. 
The goal of these governance processes should be to help developers and deployers of 
covered Al systems identify and quantify any relevant risks of harm to individuals or 
society and, where those risks are determined to be significant, to implement measures 
to mitigate against them. Importantly, impact assessments allow for a more context-specific 
evaluation of the types of risk mitigation measures that are available, and which is ideally suited 
for the particular deployment scenario. 


BSA acknowledges the Commission’s concern that the deployment of biometric identification 
systems can implicate heightened risks for fundamental rights. BSA welcomes the White Paper’s 
recommendation for the Commission to launch an inquiry to examine the appropriate regulatory 
framework for biometric systems, which is also reflected in the Inception Impact Assessment. 
While EU law already provides clear parameters for assessing the lawfulness of biometric 
technologies from a data protection perspective, the rules that govern the ethics and other risks 
of Facial Recognition Technologies (“FRT”) deployments are less well defined. For that reason, 
the Commission should consider specific rules governing the use of FRT by the public 
sector in particular, given the heightened risks inherent in governmental use of this 
technology. 


BSA agrees that public trust in Al is essential for “[promoting] the overall uptake of the 
technology”. However, we would urge the Commission not to pursue the creation of a 
blanket voluntary labeling system for all no-high risk systems. Given the diverse range of 
Al products and services that will be considered "no-high risk Al applications", a one-size-fits-all 
labeling scheme would be unworkable. The benchmarks for evaluating whether Al systems are 
trustworthy are likely to be highly variable, driven in large part by system functionality and 
deployment context. The relevant benchmarks for evaluating the trustworthiness of an Al system 
that recommends restaurants are likely to be quite different from those that are relevant to an Al 
system that is designed to identify what objects are in a photograph. A methodology for a labelling 
system that could apply to the entire universe of “no-high risk Al” would necessarily be very 
complex, which would limit customers’ understanding and engagement. Similarly, the governance 
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of such a scheme would be exceedingly complex and would necessarily have to cover diverse 
sectors and technologies — likely in almost all industrial EU activities. 
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